Security agents workflow: auto-review PRs on Azure DevOps, GitHub & GitLab

ThinkReview security review agents on a pull request with custom checklist and references

Pull request security reviews are easier to trust when they are repeatable and grounded in references your team already uses—OWASP guidance, internal secure-coding standards, or pentesting playbooks. ThinkReview is an open source browser extension that runs on GitLab, GitHub, Azure DevOps, and Bitbucket, so you can define review agents (custom checklists) and apply them where your code already lives.

Below is a quick tour of the workflow: define an agent, attach a reference, run the review on a PR, and read findings mapped back to that context.

Example: a pentesting-focused review agent

In this example we set up an agent focused on pentesting-style issues.

  1. Define the agent’s goal and scope: the classes of problems it should emphasize (e.g. injection, authentication, secrets, unsafe APIs).
  2. Provide a reference the model should lean on, for instance external guidance such as STRIKE Graph: pen testing best practices, plus your own policies, pasted or linked wherever the product allows.

Defining a security review agent goal, scope, and reference in ThinkReview

You can maintain multiple agents for different teams or risk profiles (ThinkReview supports up to ten review agents).

Review agents list showing you can create multiple specialized agents

Run the review on a PR

Trigger a review on the pull or merge request page as you normally would with ThinkReview. The extension evaluates the diff with your agent’s instructions and reference, then surfaces actionable findings in context.

Running a security-oriented review on a PR with ThinkReview

On the example PR below, ThinkReview flagged OWASP-related issues using the reference material we provided—so reviewers can see why something matters, not only that it was mentioned.

OWASP-oriented findings from a pentesting-focused agent on a PR

Why this helps across Azure, GitHub, and GitLab

The same workflow applies on Azure DevOps, GitHub, GitLab, and Bitbucket: you stay on the native PR/MR page, keep vendor workflows and permissions, and add a consistent security lens without standing up a separate bot for each platform.

Install ThinkReview

ThinkReview is open source and can be installed from the Chrome Web Store or from Firefox Add-ons.

Originally published on Medium: Easy security agents workflow to review PRs on Azure, GitHub and GitLab.